mittal mittal - 7 months ago 37
Linux Question

How to preserve SELinux context on a file while running from unconfined user

I am having some trouble with a couple of my files' SELinux context with my openstack-swift setup

Setup details:

A daemon is running swift-object-replicator with the following SELinux context:

system_u:system_r:swift_t:s0 swift ... /usr/bin/python /usr/bin/swift-object-replicator /etc/swift/object-server.conf

This daemon calls a script periodically. The file created by that script has the following SELinux context:

system_u:object_r:swift_var_cache_t:s0 /var/cache/swift/object.recon

Which is correct!

The issue

If I run the same script (which that daemon is calling internally) from a terminal as 'root', the object.recon file's SELinux context is modified as below:
-rw-------. swift swift unconfined_u:object_r:var_t:s0 /var/cache/swift/object.recon

And then I start seeing error messages in that daemon's log files.

Any idea why the context changes and how to preserve it even if I wish to trigger the script from a terminal?


I figured out two ways to retain the context:

  • Use runcon to run the command with correct context

    runcon -t swift_t -r system_r swift-object-replicator /etc/swift/object-server.conf -ov
  • Or, define an SELinux type_transition rule so that a user in the unconfined_t domain transitions to the correct domain while executing the script

    # Module name is an assumption; the original post gave only the rules below.
    module swift_unconfined_trans 1.0;

    require {
        type unconfined_t;
        type swift_exec_t;
        type swift_t;
        role unconfined_r;
        class process transition;
    }

    # Allow role unconfined_r to hold the swift_t domain, then make any exec of a
    # swift_exec_t file from unconfined_t land in swift_t instead of staying unconfined.
    role unconfined_r types swift_t;
    type_transition unconfined_t swift_exec_t:process swift_t;
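A small wrapper that puts the two options above into practice, added here as an example and not part of the original answer or of openstack-swift: `install` builds and loads the type_transition policy from a .te file (assumed to be saved, with a `module` header line, as swift_unconfined_trans.te), `run` launches the replicator under runcon as in the first option, and both finish by checking that the recon file still carries the swift_var_cache_t type, falling back to restorecon if it drifted to var_t. It assumes the SELinux userland tools (checkmodule, semodule_package, semodule, restorecon) and GNU stat are installed; the helper names are my own.

```shell
#!/bin/bash
# Added example: install the domain-transition module or run under runcon,
# then verify the label of /var/cache/swift/object.recon.

# Extract the SELinux type (third field) from a context string such as
# "system_u:object_r:swift_var_cache_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the context's type field equals the expected type, 1 otherwise.
type_matches() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Compile a .te file into a .pp package and load it (module name defaults to
# the file name without .te; it is an assumption, not a name from the post).
load_module() {
    local te="$1" name="${2:-${1%.te}}"
    checkmodule -M -m -o "$name.mod" "$te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
}

# Print a file's full SELinux context (GNU stat %C).
file_context() {
    stat -c %C "$1"
}

# Verify a file's type; if it drifted (e.g. to var_t), relabel it from the
# file-context database with restorecon so the daemon stops logging errors.
ensure_type() {
    local path="$1" want="$2" ctx
    ctx=$(file_context "$path")
    if type_matches "$ctx" "$want"; then
        echo "ok: $path is $ctx"
    else
        echo "wrong label: $path is $ctx, expected type $want; relabeling" >&2
        restorecon -v "$path"
    fi
}

RECON=/var/cache/swift/object.recon

case "${1:-}" in
    install)
        # Second option from the answer: after this, a plain exec of the
        # swift_exec_t script from a root shell transitions into swift_t.
        load_module "${2:-swift_unconfined_trans.te}"
        ensure_type "$RECON" swift_var_cache_t
        ;;
    run)
        # First option from the answer: one-off run in the daemon's domain.
        runcon -t swift_t -r system_r swift-object-replicator /etc/swift/object-server.conf -ov
        ensure_type "$RECON" swift_var_cache_t
        ;;
esac
```

Run it as root with `./swift-recon-wrapper.sh install` once, or `./swift-recon-wrapper.sh run` for a single invocation; `ensure_type` is what the daemon-side check would look like if you want a cron job to catch a mislabeled file before the replicator does.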